Demystifying the MLB’s First Hacking Scandal and Its Fallout

On Jan. 30, Major League Baseball Commissioner Rob Manfred announced harsh penalties for the St. Louis Cardinals, whose former scouting director Chris Correa had perpetrated baseball’s first-ever cybercrime: hacking the Houston Astros’ email system and draft database in 2013 and 2014. Aside from banning Correa from baseball for life, Manfred made the Cardinals pay the Astros $2 million and hand over their top two picks in the 2017 draft.

To put things into perspective, what Correa did was the digital equivalent of a player using performance-enhancing drugs; he gained an unfair draft advantage for the Cardinals by digging into “… the Astros’ medical evaluations of possible draft picks, internal scouting reports, and trade discussions with other teams,” per ESPN. Like a juiced-up player winning more games for his team, Correa likely sent reverberations throughout his team’s (and Houston’s) farm systems for years to come. How many draft picks did the Cardinals “steal” from the Astros? Are they still in the Cardinals’ farm system? Would the Astros be a stronger contender had they received these players? The potential ripple effects go on and on.

A federal jury didn’t take Correa’s actions lightly, sentencing him to 46 months in prison and fining him $300,000 last January. Since his sentencing, though, Correa has stood by allegations that the Astros had, in fact, swiped information from the Cardinals first. Could the issue be more pervasive than just this one isolated case? “It was inevitable that there would be a sports team or teams that would suffer some form of breach,” says cybersecurity expert Adam Levin, who is the chairman and founder of CyberScout. Levin says he wouldn’t be surprised if hacking were going on in other sports—and that instances like this one were just not being publicly reported. In terms of baseball, “the question was: Was it going to involve tickets, personal identifiable information of customers, of employees? In this case, it involved trade secret intellectual property,” explains Levin. But he’s quick to note that Correa’s hack wasn’t altogether novel: “Corporate espionage has been going on for decades … maybe since the beginning of time, so this is just another form.”

What does set the MLB hack apart from those that seem to be happening everywhere these days—whether they be last October’s crippling internet hack or Russia hacking the 2016 presidential election—is that it seemingly came out of nowhere. “Major League Baseball had a heck of a wakeup call,” says Levin. That is why Commissioner Manfred’s punishment was so unprecedentedly harsh. Explains Levin of Manfred’s actions:

“I think it was ‘I want to send a strong message (a) that teams need to adopt a culture of privacy and security for themselves; and (b) people [and teams] who think they can engage in this kind of conduct … [are] going to be in trouble.’”

For Levin, who last year published a book on cybersecurity entitled Swiped, the bigger picture is the need for a change in culture. Paraphrasing famed management consultant Peter Drucker, Levin puts it like this: “culture eats strategy.” In short, “you have to create a culture of privacy and security, whether it’s in your home or a government agency or a business.” This includes updating passwords regularly and creating ones that are difficult to guess. (A guessable password is how Correa breached the Astros’ system.) Levin even foresees instances of “ransomware,” or malicious software that blocks access to a computer system until a “ransom” is paid, crippling sports teams.

In sum, this won’t be the last time you’ll hear of hacking in baseball. It’s just the beginning.